11.0 Using Migration Commands for Transfer ID

Before running Transfer ID, ensure that you have met all the prerequisites and prepared your servers as described in Section 4.2, Preparing the Source Server for Migration and Section 4.3, Preparing the Target Server for Migration.

Before you begin, keep in mind the following:

  • All the services, you need must be migrated to the target server.

  • When you start the Transfer ID process, you cannot perform any operations on the source server because the process locks the DIB (eDirectory database) on the source server.

To perform Transfer ID using CLI:

Parameters

Value

Description

sourceipaddress

172.16.100.101

The server whose identity is to be transferred to the target server.

projectpath

/var/opt/novell/migration/NewProj0

The path of the project created to perform Transfer ID.

 

 

 

  1. eDirectory Precheck: Executes the prerequisites for the Transfer ID process.

    1. Use the following command to perform an eDirectory precheck:

      migedir -s <sourceipaddress> -u -A <projectpath> -i -t

      For example, /opt/novell/migration/sbin/migedir -s 172.16.100.101 -u -A /var/opt/novell/migration/NewProj0 -i -t

      When prompted, enter the user name and password of the source server.

      This step can be executed multiple times to verify the health of the eDirectory tree. Execution of this step does not modify the source server or the target server.

    2. Check the availability of the hostname and IP address on the source server. The hostname or IP address can be resolved by using the DNS server, or using the /etc/hosts file on the source server (OES Linux), or using SYS:etc\hosts file on the NetWare server.

    3. The nam.conf file on the target server includes LUM settings that will be required later while performing the repair steps for migration. Create a backup of the /etc/nam.conf file on the target server by executing the following command:

      cp /etc/nam.conf <Project_path>/nam.conf.target

      For example, cp /etc/nam.conf /var/opt/novell/migration/NewProj0/nam.conf.target

    4. If the source server is OES 1, OES 2, or OES 11, create a backup of the /etc/nam.conf file on the source server.

    5. Retrieve and store the list of LUM-enabled groups:

      (Conditional) If the source server is NetWare, enter

      ruby /opt/novell/migration/sbin/serveridswap/scripts/repair/nam-grpmod.rb -H <target server short hostname> -a <admindn> -S <ldap-server-ip> --ldap-port <port number> -p <password> -l

      This command displays the list of groups that are LUM-enabled on the target server. These same groups must be LUM-enabled on completion of Transfer ID.

    6. If the source server is OES 1, OES 2, or OES 11, ensure that you have copied the SSH keys to avoid multiple password prompts on execution of this step.

      To copy the SSH keys:

      1. Enable SSH on the source server and target server.

      2. Enter the following command on the target server: # ssh-keygen -t rsa

        You are prompted for the following:

        1. Enter file in which to save the key (/root/.ssh/id_rsa), then press Enter. The SSH keys are stored in the default location.

        2. Enter passphrase (empty for no passphrase), press then Enter. We recommend you not to include passphrase.

      3. Copy the key value (that is, the output of the command above) to the source server:

        # scp ~/.ssh/id_rsa.pub root@<source-server>:/tmp

      4. Log in to the source server using ssh and add the key value to the list of authenticated keys.

        cat /tmp/id_rsa.pub >> /root/.ssh/authorized_keys

    7. If the source server is OES 1, OES 2, or OES 11, ensure that you copy the .nss.dat file to the target server. This file stores the nss user context information of the source server and is required when we repair the NSS admin object.

      Enter the following command on the target server:

      scp <Source-IP>:/var/opt/novell/nss/.nss.dat /tmp/

  2. Preparation: Removes eDirectory from the target server. The LUM association with the groups and users is no longer available because the Unix Workstation object is also removed.

    1. To remove the Unix Workstation object on the target server, enter

      /usr/bin/namconfig rm -a <admindn>

      For the SSL connection, use the -1 option and specify 636 as the default port number.

    2. To remove eDirectory from the target server, enter

      /opt/novell/eDirectory/bin/ndsconfig rm -c -a <admindn dot format> -w ADM_PASSWD --config-file /etc/opt/novell/eDirectory/conf/nds.conf

      Use dot format when passing values for -a option. For example, -a admin.novell

    3. To verify the health of eDirectory and to ensure that both the source server and target server are time-synchronized, enter

      migedir -s <sourceipaddress> -u -A <projectpath> -i -t

      For example, /opt/novell/migration/sbin/migedir -s 172.16.100.101 -u -A /var/opt/novell/migration/NewProj0 -i -t

      NOTE:When prompted, enter the user name and password of the source server.

  3. DIB Copy: Creates a backup of the eDirectory DIB (Directory Information Base) of the source server to the target server. This step locks the DIB of the source server and further operations are not permitted on the source server.

    migedir -s <source-server-ip> - u -A <logfile directory> -i -B

    For example, /opt/novell/migration/sbin/migedir -s 172.16.100.101 -u -A /var/opt/novell/migration/NewProj0 -i -B

    After executing the command above, you are prompted for the user name and password of the source server. Enter the admin credentials when prompted.

    IMPORTANT:This command fails to execute if the replica ring is not in sync, or if the time is not synchronized between all the servers in the replica ring.

    NOTE:If you need to perform any operations on the source server, you must unlock the DIB. To unlock the DIB on a NetWare server, reload the DS.nlm file. On an OES 1 Linux server, OES 2 Linux, or OES 11 server, restart ndsd daemon.

  4. Shutdown Source: You need to shut down the source server.

  5. DIB Restore: Restores the eDirectory database that was backed up from the source server in Step 3 on the target server. This includes the NICI keys and the DIB identity.

    IMPORTANT:Ensure that you back up the target eDirectory database and NICI keys. For more information, see Section 11.1, Back up eDirectory Database and NICI Keys.

    1. At the command prompt of the target server, enter

      migedir -R

      After executing the command, you will be prompted for the administrator credentials for the source server.

      WARNING:If the backup in Step 3 was not successful, the DIB Restore step fails. A failure at this point might cause the eDirectory service on the target server to be unusable.

  6. IP Address Change: The IP address of the target server and its services is changed to the source server IP address.

    The scripts to be executed in this step are located in the /opt/novell/migration/sbin/serveridswap/scripts/ipchange and /opt/novell/migration/sbin/serveridswap/scripts/ipchange/nonplugin folders.

    • To change the IP address of the server in the /opt/novell/migration/sbin/serveridswap/scripts/ipchange folder, enter

      ruby server-yast-ipchange.rb --old-ip <target_server IP> --ip <source_serverIP>

      For example, ruby server-yast-ipchange.rb --old-ip 172.16.200.201 --ip 172.16.100.101

    • The ipchange folder contains a list of scripts that needs to be executed for changing the IP address. An example to change the IP address of the services on the target server by using the iprintipchange.sh script in the /opt/novell/migration/sbin/serveridswap/scripts/ipchange folder:

      <server-script> <target_server IP> <source_server IP> <source_server IP> <source_server IP>

      For example, iprintipchange.sh 172.16.200.201 172.16.100.101 172.16.100.101 172.16.100.101

      You also need to run the remaining scripts for other services in the same manner.

      WARNING:Failure of the script to change the IP address or terminating the operation manually might cause the system to hang. If a service-specific IP address script fails to change the IP address, replace the <service>.conf file with <service>.orig file. For example, if eDirectory authentication fails on completion of the IP Change step, do the following:

      cp /etc/opt/novell/eDirectory/conf/nds.conf.orig /etc/opt/novell/eDirectory/conf/nds.conf

    • To change the IP address in the configuration files of each service on the target server, enter the following in the /opt/novell/migration/sbin/serveridswap/scripts/ipchange/nonplugin folder:

      ipchange.sh <oldip> <newip> <oldremoteip> <newremoteip> yes

      Here, oldip is the IP address of the existing server and newip is the new IP address assigned to the server. The oldremoteip and newremoteip is the IP address of the Master Replica server. If the Master Replica server IP address is not changed, then oldremoteip and newremoteip can be same.

      Example 11-1 For example, ipchange.sh 172.16.200.201 172.16.100.101 172.16.200.200 172.16.200.200 yes

      If you want to execute any additional scripts, copy them to the /ipchange/nonplugin folder in the same pattern as the existing scripts.

  7. Host Name Change: Host names of the services are changed to the source server hostname.

    1. To change the hostname of the server and the services, enter the following in the /opt/novell/migration/sbin/serveridswap/scripts/hostchange folder.

      <hostname-script> <targethostname> <sourcehostname>

      For example, server-hostname-change.sh aus-market201.marketing.com aus-market101.marketing.com

      If you want to execute any additional scripts copy them to the nonplugin folder in the same pattern as the existing scripts.

      For example, ./iprinthostchange.sh oldhostname newhostname oldmasterhostname newmasterhostname

      where oldhostname is the old server host name and newhostname is the new server host name. The master hostname is the hostname of the master server in the eDirectory tree. The oldmasterhostname and newmasterhostname can be the same if the master hostname is not changed during the Transfer ID migration.

      WARNING:Failure of the script to change the hostname or terminating the operation manually, might cause the system to hang. If a service-specific hostname script fails to change the hostname, replace the <service>.conf file with the <service>.orig file. For example, if iPrint authentication fails on completion of the Hostname Change step, do the following:

      cp /etc/opt/novell/iprint/httpd/conf/iprint_ssl.orig /etc/opt/novell/iprint/httpd/conf/iprint_ssl.conf

    2. On the console, enter

      hostname <sourceserver_name>

      This changes the hostname of the server when you relogin.

  8. Reinitialize Server: Reinitialize the target server with the IP address and hostname of the source server. In this step, eDirectory is also restarted.

    • To re initialize the server, enter

      /etc/init.d/network restart

    • To restart eDirectory, enter

      /etc/init.d/ndsd restart for restarting nds

    Next, you need to repair eDirectory, certificates for the server, LUM, and other OES services on the target server.

  9. Repair: Performs a repair of eDirectory, certificates, LUM, and services on the target server. The ndsrepair command is used to perform the eDirectory repair. The service-specific repairs run only for services that were migrated using the current project.

    1. eDirectory: Performs a repair of eDirectory.

      To repair eDirectory, enter

      /opt/novell/eDirectory/bin/ndsrepair -U

      To restart eDirectory, enter

      /etc/init.d/ndsd restart

      Ensure that you fix all errors before proceeding with the next step.

    2. Repair Certificates: To create the SAS object, enter

      /opt/novell/eDirectory/bin/ndsconfig add -m sas -a <admin dn> --config-file /etc/opt/novell/eDirectory/conf/nds.conf

      1. To regenerate the certificate on the target server, enter

        /opt/novell/oes-install/util/getSSCert -a <new_ip_address> -t <treename> -u <admindn dot format> - x <password>

        For example, /opt/novell/oes-install/util/getSSCert -a 172.16.100.101 -t TESTTREE -u cn=admin.o=novell -x novell

        The regenerated SSCert.der certificate is stored at the /etc/opt/novell/certs location.

      2. To convert the certificate to the pem format, enter

        openssl x509 -inform der -in /etc/opt/novell/certs/SSCert.der -outform pem -out /etc/opt/novell/certs/SSCert.pem

      3. To verify the health of eDirectory, enter

        ndscheck -h <new_ip_address> -a <admindn dot format> -w <adminpass> -F <Project_path>

        For example, ndscheck -h 172.16.100.101 -a cn=admin.o=novell -w novell -F /var/opt/novell/migration/Newproject1/ndscheck.log

        You must resolve all errors before proceeding to the next step. It is recommended that you backup the name.conf file before proceeding with the next step.

      4. (Conditional) To remove the existing nam.conf, enter

        rm /etc/nam.conf

    3. LUM: Creates or modifies the existing Unix Workstation object:

      • If the source server is NetWare, a new Unix Workstation object is created. Enter the following command:

        ruby /opt/novell/migration/sbin/serveridswap/scripts/repair/nam-reconf.rb -a <admindn comma format> -p <admin password> -S <ldap-server-ip> --ldap-port <port number> -u <Unix_config_object-dn>

        where Unix_config_object-dn is the value of the base-name parameter in the nam.conf file. A backup of the file was created in Step 1.c.

        ldap-server-ip is the value of the preferred-server parameter in the nam.conf.target file.

        NOTE:If the value of the preferred-server parameter is the same as the IP address of the target server, then the value of the ldap-server-ip must be the same as the IP address of either the source server or the appropriate LDAP server.

      • If the source server is OES 1 Linux, OES 2 Linux, or OES 11, the Unix workstation object is retained. To modify the Unix workstation object, enter the following command:

        ruby /opt/novell/migration/sbin/serveridswap/scripts/repair/nam-reconf.rb -a <admindn comma format> -p <admin password> -S <ldap-server-ip> --ldap-port <port number> -u <Unix_config_object-dn>

        where Unix_config_object-dn is the value of the base-name parameter in the nam.conf file. A backup of the file was created in Step 1.d.

        ldap-server-ip is the value of the preferred-server parameter in the nam.conf.target file.

        For example, ruby /opt/novell/migration/sbin/serveridswap/scripts/repair/nam-reconf.rb -a cn=admin,o=novell -p novell -S 172.16.200.201 --ldap-port 636 -u "o=novell"

      1. To copy the certificate for LUM operations, enter

        cp /etc/opt/novell/certs/SSCert.der /var/lib/novell-lum/.<new_ip_address>.der

        For example, cp /etc/opt/novell/certs/SSCert.der /var/lib/novell-lum/.172.16.100.101.der

      2. (Conditional) If the source server is NetWare, run the command to modify the users and groups listed in Step 1.e:

        ruby /opt/novell/migration/sbin/serveridswap/scripts/repair/nam-grpmod.rb -H <source short hostname> -a <admin dn> -S <ldap-server-ip> --ldap-port <port number> -p <password> --grp <group FDN> -l <LUM enabled user and groups> [--check]

        ldap-server-ip is the value of the preferred-server parameter in the nam.conf.target file.

        Parameters

        Description

        -H

        Specify the hostname of the source server.

        -a

        Specify the administrator’s name in LDAP format.

        -S

        Specify the IP address of the preferred LDAP eDirectory server.

        --ldap-port

        Specify the port for LDAP server to listen on.

        -p

        Specify the administrator’s password.

        --grp

        Specify the group to be modified.

        -l

        Specify the list of LUM-enabled user and groups in fully distinguished format.

        --check

        Verify LUM-enabled users and groups.

        When prompted, enter the password for the administrator.

      3. (Conditional) If the source server is OES 1 Linux, OES 2 Linux, or OES 11, modify the users and groups by entering the following command:

        ruby /opt/novell/migration/sbin/serveridswap/scripts/repair/nam-fix.rb -H <new_server short hostname> -a <admindn_comma_format> -p <password> -S <ldap-server-ip> --ldap-port <port number>

        For example, ruby /opt/novell/migration/sbin/serveridswap/scripts/repair/nam-fix.rb -H mark-nov101 -a cn=admin,o=novell -p novell -S 172.16.100.101 --ldap-port 636

      4. Refresh LUM Cache, then run the /usr/bin/namconfig cache_refresh to rebuild LUM cache.

      5. (Conditional) If the source server is OES linux server, enter

        chown -R wwwrun:www /var/opt/novell/nici/30

        You must change the ownership so that you can log in to iManager post-Transfer ID.

    4. To repair pool and volume objects, enter

      /opt/novell/migration/sbin/serveridswap/scripts/repair/volrepair.rb -a <admindn_comma_format> -p <password> -f <project_path>/fs

      For example, /opt/novell/migration/sbin/serveridswap/scripts/repair/volrepair.rb -a cn=admin,o=novell -p novell -f /var/opt/novell/migration/NewProj1/fs

    5. Services: Execute the repair scripts for the services that were migrated before performing Transfer ID.

      • To repair iPrint service, enter

        /opt/novell/migration/sbin/serveridswap/scripts/repair/iprintrepair.sh -s <new IP> -u <admindn comma format> -T <source type {-L|-N}> -p <ssl port> -S

        For example, /opt/novell...iprintrepair.sh -s 172.16.100.101 - u cn=admin,o=novell -T -L -p 636 -S

        Specify the -S option only when the LDAP server is configured for SSL. Specify SSL port only if it is configured.

      • To repair CIFS service, enter

        sh /opt/novell/migration/sbin/migcifs.sh -s <new IP> -p <ssl port> -a <admindn_ldap_format> {-f 1 <if ssl> | -f 0 <non-ssl>} -t <tree name> -d <target server IP> -q <port> -b <admin name> {-g 1 <if ssl> | -g 0 <non-ssl>} -m <project_path>/cifs/cifsSourceShares.tmp -S 3 -r

    6. Others: Execute the repair scripts for the services that are not included in the plug-ins of the Migration Tool.

      • NSS Admin Object: To repair the NSS admin object, execute the following on the target server, depending on the source server (NetWare or OES):

        /opt/novell/migration/sbin/serveridswap/scripts/repair/nss-adminrepair.sh -a <admindn dot format> -p <admin password> -s <source server [OES/NW]> -o <nssadmin object name with server context>

        where -a, -p, -s are mandatory parameters. If the source server is NetWare (NW), the -o option is required to create a new NSS admin object.

        For example: nss-adminrepair.sh -a admin.sales.novell -p test -s NW -o nssAdminUser.sales.novell

      • Common Proxy:

        • If the source is NetWare, to repair the common proxy on the target OES 11 SP2 server, execute the following:

          /opt/novell/proxymgmt/bin/mignwproxy.sh -d <LDAP Admin FDN> -w <LDAP Admin Password> -i <LDAP-Server-IP-Address> -p <LDAP Secure Port>

        • If the source is Linux, to perform common proxy migration on the target OES 11 SP2 server, see Section 32.2.1, Services that Are Using Common Proxy.

      • NetStorage: To repair NetStorage, enter the following commands:

        /opt/novell/xtier/bin/xsrvcfg -D

        /opt/novell/xtier/bin/xsrvcfg -d <ipaddress> -c <context>

        where context is the value of the attribute CONFIG_XTIER_USERS_CONTEXT in the /etc/sysconfig/novell/netstore11 file.

        /usr/sbin/rcnovell-xregd restart

        /usr/sbin/rcapache2 restart

  10. Restart Server: Restart the target server for the changes to take effect.

    After successful completion of the Transfer ID migration, the target server functions with the source server’s eDirectory identity.